DOCSLIB.ORG

Preventing Reflective DLL Injection on UWP Apps

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Preventing Reflective DLL Injection on UWP Apps Mojtaba Zaheri1, Salman Niksefat2, and Babak Sadeghiyan3 1,2,3APA Research Center, Amirkabir University of Technology Abstract - Universal Windows Platform (UWP) is the Microsoft’s recent platform-homogeneous application architecture. It al-lows a code to run on variety of devices including PC, mobile devices, etc., without needing to be rewritten or recompiled. UWP apps are becoming more and more popular and consequently this new application platform is becoming the next attack target for hackers and malware developers. In this paper, we first study the issue of host-based code injection attacks (HBCIA) in UWP apps. We show that de-spite the embedded mechanisms in UWP to maintain code integrity and to only allow legitimate DLLs to be loaded in memory, it is still possible to circumvent the defensive mechanisms and launch a variant of HBCIA called Reflective DLL Injection on UWP apps. We then propose a novel defence mechanism against reflective DLL injection attacks on UWP apps. Our proposed method can detect malicious/benign injection attempts on UWP apps and prevents malicious injections while allowing the benign injections to proceed as normal. Our experiments show that the proposed defence has less than 1% impact on system’s overall performance and can be used inside anti-virus (AV) products to strengthen their protection capabilities. KEYWORDS – DLL Injection, Universal Windows Platform, UWP I. INTRODUCTION executing the code [1]. A recent research in [1] shows that near 64% of the total of 162850 Universal Windows Platform (UWP), first sample malware use HBCIA as part of their introduced in Windows 10, is the Microsoft’s malicious behaviour. platform homogeneous application One strong motivation for using HBCIA by architecture. Its purpose is to allow malware is to evade detection and bypass development of universal applications that run host-based firewalls: Mal-ware usually on a variety of platforms including PC, mobile connect to their C&C 1 servers for sending in- devices, and IoT devices. This relieves the formation and receiving new commands. code from the need to be rewritten or Thus host-based firewalls are generally recompiled for each platform. Similar to sensitive to outgoing connections of locally Android and IOS, this platform has its own running applications and they have rules to proprietary software store through which prevent unknown applications from accessing Microsoft can have more control over the the network. To prevent being caught by the distributed UWP applications. Since its firewalls, new malware generally uses smart release, Microsoft has encouraged the techniques for connecting to the Internet. One software developers to write code in UWP such technique is taking advantage of and the company itself included some UWP HBCIAs, i.e., injecting a software module to applications in Windows 10, including another legitimate running process such as Microsoft Edge browser and Microsoft Mozilla Firefox, Internet Explorer or Google Groove Music. Chrome and communicating using the With rapid popularity of UWP applications injected module. Among these browsers, among soft-ware developers and considering Microsoft Internet Explorer has been more the strong support of Microsoft, UWP apps promising for hackers as it is generally are becoming more and more popular among available in Windows family of operating end users and consequently this new platform systems by default. Moreover, Microsoft- has become the next attack target for hackers Edge, the Microsoft’s new UWP-based and malware developers. One important browser introduced in Windows 10, can be the category of intra-host attacks that can next injection target for malware that are potentially target UWP applications is Host willing to launch a code-injection attack. Based Code Injection Attacks (HBCIA). In this paper, we demonstrate that it is still HBCIA is defined as locally copying a code possible to launch successful DLL injection from a malicious source process into the attacks by a technique called reflective DLL address space of a target process and injection [2][3] despite the new security 41 OIC-CERT Journal of Cyber Security (2018) 1.1:41-52 ISSN 2636-9680 Print Preventing Reflective DLL Injection on UWP Apps mechanisms embedded in UWP framework to countermeasures. In section III, we review the maintain code integrity and prevent un- security mechanisms embedded in UWP apps signed/malicious DLL injections. Then, we that are related to HBCIA attacks. In section propose a defence mechanism against such IV, we demonstrate the methods that can attacks on UWP apps. circumvent the integrity mechanisms of UWP Some currently published methods such as and perform the reflective DLL injection [4][5] try to parse the victim process memory attack in UWP frame-work. In section V, we and find if a malicious DLL is loaded into the present our defensive mechanism to reflective process memory. Then, they try to remove it DLL injection attacks. In section VI, we and clean the memory. How-ever, it’s not a present the results of the evaluation of the sound and complete countermeasure, as the proposed system. Finally, section VII malware is already loaded in the memory and concludes the paper. can do its malicious activities before being removed from the memory. In contrast, in our proposed mitigation, we try to prevent the II. RELATED WORK malware to load the malicious DLL from the very beginning. Another challenge in The works in host-based code injection countering such attacks is that not all code attacks can be classified into methods for injections are malicious. The operating system performing such attacks, and mechanisms for may inject some legitimate DLLs into detection and prevention. In this section, we processes. Moreover, processes may inject review these works and considering the code into their own address space for detection and prevention mechanisms, we purposes like loading plug-ins, etc. Therefore, claim that none of them is suitable for we need a method to distinguish between defending against reflective DLL injection on malicious and benign injections. Our proposed UWP apps. defence mechanism does this with high precision. In case of a malicious injection, it A. Performing HBCIA successfully prevents the DLL to be written into the target process and raises an alarm. On Since these methods have rather a technical the other hand, in case of a benign injection, nature, the concept has received much more the injection proceeds as normal. Finally, by attention in the technical forums rather than taking advantage of PCMark benchmarking the research papers. tool, we show that our proposed technique In [1], the authors have presented a semi- imposes a little overhead on operating system. formal definition for host-based code injection To summarize, our contribution in this attacks that we cited in the introduction. The paper is a mitigation technique against paper has presented the basic idea of the reflective DLL injection on UWP apps that technique in three main steps including I) provides the following original advantages: Victim process selection, II) Code copying, i. It entirely prevents a malware from and III) Code execution. This paper also loading its malicious module into the mentions several motivations behind using target process memory. HBCIAs including interception of critical ii. The proposed mechanism is very information, privilege escalation, and efficient as it only monitors and detection avoidance. modifies the behaviour of one API In [6], a classification on various DLL (NtWriteVirtualMemory), which Injection techniques is presented. This paper leads to a very low overhead on the system performance. classifies these techniques as follows: iii. It doesn’t have any effects on normal CreateRemoteThread [7], Creating a Proxy DLL injections, as it’s possible to DLL [8], Modification of Windows Registry load legitimate/signed DLLs into [9], Windows Hooks [10][11], Using a target UWP apps through calling the Debugger [12], Patching the IAT [13] and LoadLibrary API. Reflective Injection [2][14]. This paper is organized as follows: In Most of the above techniques can’t be used section II, we re-view related work including to inject into UWP apps because the HBCIA methods and the existing LoadLibrary API has been limited by UWP 42 OIC-CERT Journal of Cyber Security Preventing Reflective DLL Injection on UWP Apps framework code integrity mechanism. process, it interrupts the process and loads a However, a specific type of DLL Injection monitoring module that later checks the API called Reflective Injection which was call patterns in the target process to see if its behavior is malicious. However, the proposed introduced in [2] can be used to circumvent method is only effective against Trojan this mechanism. This method can load a DLL downloaders. on UWP apps through the concept of Also, Detecting the Code Injection Engine reflective programming without directly using (DCIE) [19] tries to reject all the suspicious LoadLibrary API. In section 4, further details thread creating calls by hooking APIs and about this technique is presented. tracing three main steps of code injection attacks: allocating memory, writing to the memory, and creating the thread. Although B. Detecting and Preventing HBCIA this method prevents the injection attacks, it Since the HBCIAs need to have local has two major weaknesses; access to the tar-get system, these types of attacks had not been considered very i. It rules out injection of legitimate and hazardous in the past. However, the advances signed DLLs, and in HB-CIA techniques and ever-increasing ii. It hooks three APIs, which decreases number of malwares in recent years have system’s performance. motivated the security researchers to work on In case of reflective injection, the articles mitigation mechanisms for these attacks. In [20][21] propose ideas to check the memory the following, we review some of these of running processes periodically and search methods.
Recommended publications
  • Cygwin User's Guide

    Cygwin User's Guide

    Cygwin User’s Guide Cygwin User’s Guide ii Copyright © Cygwin authors Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .4 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select . .7 1.7 What’s new and what changed in Cygwin . .7 1.7.1 What’s new and what changed in 3.2 .
  • How to Change Your Browser Preferences So It Uses Acrobat Or Reader PDF Viewer

    How to Change Your Browser Preferences So It Uses Acrobat Or Reader PDF Viewer

    How to change your browser preferences so it uses Acrobat or Reader PDF viewer. If you are unable to open the PDF version of the Emergency Action Plan, please use the instructions below to configure your settings for Firefox, Google Chrome, Apple Safari, Internet Explorer, and Microsoft Edge. Firefox on Windows 1. Choose Tools > Add-ons. 2. In the Add-ons Manager window, click the Plugins tab, then select Adobe Acrobat or Adobe Reader. 3. Choose an appropriate option in the drop-down list next to the name of the plug-in. 4. Always Activate sets the plug-in to open PDFs in the browser. 5. Ask to Activate prompts you to turn on the plug-in while opening PDFs in the browser. 6. Never Activate turns off the plug-in so it does not open PDFs in the browser. Select the Acrobat or Reader plugin in the Add-ons Manager. Firefox on Mac OS 1. Select Firefox. 2. Choose Preferences > Applications. 3. Select a relevant content type from the Content Type column. 4. Associate the content type with the application to open the PDF. For example, to use the Acrobat plug-in within the browser, choose Use Adobe Acrobat NPAPI Plug-in. Reviewed 2018 How to change your browser preferences so it uses Acrobat or Reader PDF viewer. Chrome 1. Open Chrome and select the three dots near the address bar 2. Click on Settings 3. Expand the Advanced settings menu at the bottom of the page 4. Under the Privacy and security, click on Content Settings 5. Find PDF documents and click on the arrow to expand the menu 6.
  • Windows 10-New Features & Apps

    Windows 10-New Features & Apps

    Windows 10-New Features & Apps By Tom Krauser This article discusses some of the new features and apps that come packaged in Windows 10. It is only a brief summary of these features. For more information you can search the internet or check YouTube for instructional videos on your topic of interest. The following links provide some good basic information on Windows 10 and should be helpful to you. https://support.microsoft.com/en-us/products/windows?os=windows-10 https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new-in-fall-creators-update-1709 The following article from PC World Magazine provides articles on a lot of new features in Windows 10. https://www.pcworld.com/tag/windows10/ The following article by CNET discusses some of new features in the latest update to Windows 10. https://www.cnet.com/how-to/windows-10-tips-best-features/ Alarms & Clocks: A combination of alarm clock, world clock, timer, and stopwatch. Set alarms and reminders, check times around the world, and time your activities, including laps and splits. The following link discusses how to set timers, alarms, and stopwatches: https://www.howtogeek.com/225211/how-to-set-timers-alarms-and-stopwatches-in-windows-10/ Camera: Many modern devices with Windows include a webcam and, to use it, you need an app that helps you take pictures, record videos or stream video while video chatting. For this purpose, Microsoft has built an app called Camera, which is available by default in Windows 10. Connect: Use Connect App to Cast Your Smartphone Screen to Your PC.
  • Quick Guide Page | 1

    Quick Guide Page | 1

    Quick Guide Page | 1 Contents Welcome to Windows 10 ................................................................................................................................................................................................... 3 Key innovations ...................................................................................................................................................................................................................... 3 Cortana ................................................................................................................................................................................................................................. 3 Microsoft Edge .................................................................................................................................................................................................................. 4 Gaming & Xbox ................................................................................................................................................................................................................ 5 Built-in apps ....................................................................................................................................................................................................................... 7 Enterprise-grade secure and fast ...................................................................................................................................................................................
  • Quick Start: Microsoft Edge

    Quick Start: Microsoft Edge

    Quick start: Microsoft Edge Get oriented If you’re familiar with Internet Explorer, you’ll have no trouble getting going with Microsoft Edge. Here are the basics. Back and Forward Add a favorite... ...see your favorites Where you expect ‘em. Address bar Same location. Don’t see what you need? Look here. Refresh Reading view Add your notes We moved this and made it bigger. This is new. It changes Draw on this page or take pages for easier reading. a note. Quick start: Microsoft Edge Microsoft Edge makes finding the needles in the internet’s haystack faster and easier. Find answers quickly by typing your question in the address bar. If we’ve got the answer, we’ll show it to you or make a suggestion. 1. Ask your question in the Address bar 2. Find your answer here 3. See other options here Quick start: Microsoft Edge If you’ve got a lot of web reading to do, switch to Reading view and give your eyes a break. Before After Need more contrast or a bigger font? To change settings, select More in the upper-right corner, select Settings, scroll to the Reading section and play with the options. Quick start: Microsoft Edge If you don’t always have internet access, add webpages that you want to read later to your Reading List and you’ll be able to get to them offline, too. 1. Add things to the list 2. Open the list Open a webpage > select the Favorites Hub button > Reading list . button > Reading list > Add.
  • Microsoft Patches Were Evaluated up to and Including CVE-2020-1587

    Microsoft Patches Were Evaluated up to and Including CVE-2020-1587

    Honeywell Commercial Security 2700 Blankenbaker Pkwy, Suite 150 Louisville, KY 40299 Phone: 1-502-297-5700 Phone: 1-800-323-4576 Fax: 1-502-666-7021 https://www.security.honeywell.com The purpose of this document is to identify the patches that have been delivered by Microsoft® which have been tested against Pro-Watch. All the below listed patches have been tested against the current shipping version of Pro-Watch with no adverse effects being observed. Microsoft Patches were evaluated up to and including CVE-2020-1587. Patches not listed below are not applicable to a Pro-Watch system. 2020 – Microsoft® Patches Tested with Pro-Watch CVE-2020-1587 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability CVE-2020-1584 Windows dnsrslvr.dll Elevation of Privilege Vulnerability CVE-2020-1579 Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability CVE-2020-1578 Windows Kernel Information Disclosure Vulnerability CVE-2020-1577 DirectWrite Information Disclosure Vulnerability CVE-2020-1570 Scripting Engine Memory Corruption Vulnerability CVE-2020-1569 Microsoft Edge Memory Corruption Vulnerability CVE-2020-1568 Microsoft Edge PDF Remote Code Execution Vulnerability CVE-2020-1567 MSHTML Engine Remote Code Execution Vulnerability CVE-2020-1566 Windows Kernel Elevation of Privilege Vulnerability CVE-2020-1565 Windows Elevation of Privilege Vulnerability CVE-2020-1564 Jet Database Engine Remote Code Execution Vulnerability CVE-2020-1562 Microsoft Graphics Components Remote Code Execution Vulnerability
  • Download Edge Browser for Windows 2012 Download Microsoft Edge Offline Installer for Windows 10, 11

    Download Edge Browser for Windows 2012 Download Microsoft Edge Offline Installer for Windows 10, 11

    download edge browser for windows 2012 Download Microsoft Edge Offline Installer for Windows 10, 11. Download Microsoft Edge's offline installer to install the web browser on multiple computers. Well, if you have been reading tech news for a while, then you might be well aware of the new Edge browser. Microsoft Edge is a new browser released by Microsoft, and it’s based on Chromium Project. The great thing about the new Microsoft Edge browser is that it uses the same Blink engine used by Google Chrome. The Blink engine is also used by some other popular web browsers like Opera, Vivaldi, etc. Microsoft Edge browser comes preinstalled with the latest builds of Windows 10. However, it was missing on the older Windows version such as Windows 7. Windows 8, and Windows 8.1. If you want to use the new Microsoft Edge on an older version of Windows, you need to use the Microsoft Edge installer. Microsoft Edge Installer (Online) Well, Microsoft Edge provides an online installer for downloading Microsoft Edge on the older version of Windows 10. The online installer is small in size, but it requires an active internet connection to download all available files. The good thing about Microsoft Edge online installer is that it downloads the Edge browser’s up-to-date files on your system . So, you don’t need to check for the available updates manually. To download the online installer, check out the download links. Microsoft Edge Offline Installer. If you have multiple computers, then running an online installer would be a waste of time and bandwidth.
  • Lumia with Windows 10 Mobile User Guide

    Lumia with Windows 10 Mobile User Guide

    User Guide Lumia with Windows 10 Mobile Issue 1.1 EN-US About this user guide This guide is the user guide for your software release. Important: For important information on the safe use of your device and battery, read “For your safety” and “Product and safety info” in the printed or in-device user guide, or at www.microsoft.com/mobile/support before you take the device into use. To find out how to get started with your new device, read the printed user guide. For the online user guidance, videos, even more information, and troubleshooting help, go to support.microsoft.com, and browse to the instructions for Windows phones. You can also check out the support videos at www.youtube.com/lumiasupport. Moreover, there's a user guide in your phone – it's always with you, available when needed. To find answers to your questions and to get helpful tips, tap Lumia Help+Tips. If you’re new to Lumia, check out the section for new users. For info on Microsoft Privacy Statement, go to aka.ms/privacy. © 2016 Microsoft Mobile. All rights reserved. 2 User Guide Lumia with Windows 10 Mobile Contents For your safety 5 People & messaging 64 Get started 6 Calls 64 Turn the phone on 6 Contacts 68 Lock the keys and screen 7 Social networks 73 Charge your phone 7 Messages 74 Your first Lumia? 10 Email 78 Learn more about your phone 10 Camera 83 Set up your phone 10 Open your camera quickly 83 Update your apps 11 Camera basics 83 Explore your tiles, apps, and settings 12 Advanced photography 86 Navigate inside an app 14 Photos and videos 88 Use the touch screen
  • Stone Me Into the Groove Download

    Stone Me Into the Groove Download

    Stone me into the groove download Download MP3 Songs Free Online Stone me into the groove by atomic 3 MP3 youtube downloader music free download - Search for your favorite. Stone Me Into The Groove — A Car Crash In The Blue — Atomic Swing. Album cover A Car Crash In The Blue. Download Play now. Artist: Atomic Swing. Convert Youtube ATOMIC SWING / Stone Me Into The Groove to MP3 instantly. Watch the video, get the download or listen to Atomic Swing – Stone Me Into The Groove for free. Stone Me Into The Groove appears on the album A Car Crash. Download free: Atomic Swing Stone Me Into The 3. Please enter the characters you see in the image below: Similar mp3's. Atomic Swing - Stone Me. Download free: Fan Made Stone Me Into The Groove Atomic 3. Please enter the characters you see in the image below. Atomic Groove mp3. Atomic Groove @ Belly Up Tavern Solana Beach CA 6/24/mp3. Play | Download. ATOMIC SWING / Stone Me Into The 3. Deee lite - Groove is in the heart (Botteon 2k17 reWork)**Free Download**.mp3. Play | Download. ATOMIC SWING / Stone Me Into The 3. Switch browsers or download Spotify for your desktop. Stone Me Into The Groove. By Atomic Swing. • 1 song, Play on Spotify. 1. Stone Me Into The. duration: - size: MB. download. listen. embed. Atomic Swing - Stone Me Into the Groove - Playback (Grammisgalan ).mp4 mp3. Find a Atomic Swing - Stone Me Into The Groove first pressing or reissue. Complete your Atomic Swing collection. Shop Vinyl and CDs. Stone Me Into The Groove Lyrics: I woke up and the sun was dressed in blue / The Panavision colours ran out, out in my room / I wanna paint them where ever.
  • Cygwin User's Guide

    Cygwin User's Guide

    Cygwin User’s Guide i Cygwin User’s Guide Cygwin User’s Guide ii Copyright © 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Red Hat, Inc. Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .5 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select .
  • How to Play Movies on Windows 8.1

    How to Play Movies on Windows 8.1

    1 / 5 How To Play Movies On Windows 8.1 ... a DVD player built in, odds are very good that it came with its own software for playing DVDs. Since Windows 8.1 and Windows 10 don't have .... Neither Windows 8.1 or Windows 8 play DVD and Blu-ray movies out of the box. but there are several ways you can use to make your disc playable on the .... Five powerful free apps to play DVDs on Windows 8 · VLC Media Player · GOM Media Player · KMPlayer · XBMC Media Center · Daum PotPlayer.. You'll have problems playing newer media formats like MKV in Windows Media ... clean installs of Windows 10 as well as upgrades to Windows 10 from Windows 8.1 ... Cisdem Video Playeris free software that can play 5K and Full HD movies.. itunes download 64 bit windows 8.1 pro, Jul 14, 2015 · 64bit iTunes works just ... ratings and play counts to your phone or tablet with our simple Windows Sync app. ... Home Sharing now lets you easily transfer songs, movies and TV shows to .... Viewing DVD movies on your windows 8 computer. ... try restarting your device. Your browser can't play .... Gandalf's Windows PE adalah sebuah bootable DVD berbasis Windows 8.1 with ... The game is a brawler based on the movie of the same name, and it features ... You can play as Aragorn, Legolas, Gimli, Frodo, Sam, Merry, Pippin, Gandalf .... The easiest way to play DVDs in Windows 8 or Windows 10 is by installing a third-party DVD player. We recommend the popular VLC media ...
  • An Encrypted Payload Protocol and Target-Side Scripting Engine

    An Encrypted Payload Protocol and Target-Side Scripting Engine

    An Encrypted Payload Protocol and Target-Side Scripting Engine Dino A. Dai Zovi [email protected] Abstract into the remote process and then triggering the vulnera- Modern exploit payloads in commercial and open-source bility (the injection vector) in order to cause the remote penetration testing frameworks have grown much more process to execute the injected code (the payload). Tra- advanced than the traditional shellcode they replaced. ditionally, these payloads have been written in processor- These payloads permit interactive access without launch- specific assembly language, assembled, and extracted by ing a shell, network proxying, and many other rich fea- hand into reusable machine code components. These tures. Available payload frameworks have several lim- payloads were typically small and executed an operating itations, however. They make little use of encryption to system shell, causing them to be commonly referred to secure delivery and communications, especially in earlier as shellcode. Common shellcode variants included func- stage payloads. In addition, their richer features require tionality such as restoring dropped privileges, breaking a constant network connection to the penetration tester, out of chroot environments, and attaching the shell to making them unsuitable against mobile clients, such as an inbound or outbound network connection. This style laptops, PDAs, and smart phones. of payload construction was both labor and skill inten- This work introduces a first-stage exploit payload that sive. is able to securely establish an encrypted channel using With the growth of commercial penetration testing ElGamal key agreement and the RC4 stream cipher. The services and especially commercial penetration test- key agreement implementation requires only modular ing products, exploit payloads have gotten considerably exponentiation and RC4 also lends itself to an implemen- more capable and complex.